[Dshield] Firewall/Spam defense

John Sage jsage at finchhaven.com
Tue Oct 21 12:16:08 GMT 2003

I think you have provided the most important part of an answer within
your very own question.

On Tue, Oct 21, 2003 at 03:17:21AM -0500, Father Peter Darin wrote:
> Hello, 
> In lieu of the recent RBL issues, I've recently started a research project 
> on controlling spam via the firewall.  My research involves finding DHCP or 
> dial-up ip addresses and blocking them for a period of time if the ip 
> registers a connect on port 25. 
> As the ip address is seen in recurrence, the block out time increases.  I've 
> had about a 35% success ratio.  The ratio increases as my users continue to 
> identify spam. 
> With the RBL's, at best we achieved about 10% efficiency and 5% loss of 
> legitimate mail. 
> My questions are as follows: 
> 1.  Is there a definitive way to get a list of dynamic IP blocks? 
> 2.  I am interested in any opinions of this research. 
> I am looking to improve my tactics in identifying dynamic IP addresses and 
> also to determine the long term viability of the project. 
> To date, I have determined 1.5 million dynamic addresses. 

So you have already "determined 1.5 million dynamic addresses"?

You mean you're already blocking that many? How many more are you
willing to block before you run out of CPU power/disk space to keep
adding new addresses to your block list?


What is the very nature of a dynamic IP address?

It's dynamic. It changes. Here at home I'm on a dialup; 24 hours ago I
had a different IP address than the one I have right now; 24 hours
from now I'll have yet another.

If I were to spam you yesterday, and you block that IP address, I can
spam you today with impunity. I can spam you again tomorrow, and your
blocks from yesterday and today are futile.

Do you see where I'm going with this?

By their very nature, what you are apparently trying to block is
transient, and a spammer that has used one IP address once will very
likely never use it again.

Having said that, the blocking of dynamic IP address -> ranges <-
might be of limited usefulness, but that too would be hard to manage.

What to do? What to do?

I would suggest another methodology entirely; not being much involved
with what you're really trying to do, I'll hope someone else will step


- John
"Most people don't type their own logfiles;  but, what do I care?"
John Sage: InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.
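An added illustration (not from either poster) of the escalating-block scheme the thread discusses, with the two things the reply is worried about handled explicitly: blocks expire on their own, and addresses not seen for a long time are forgotten so the table does not grow without bound. Optional CIDR ranges stand in for the "dynamic IP address ranges" idea; the durations and the sample addresses are assumed values.

```python
import ipaddress
import time

# Assumed parameters (constructed for this example, not from the thread).
BASE_BLOCK = 3600          # first block: one hour
MAX_BLOCK = 30 * 86400     # never block a single address longer than 30 days
FORGET_AFTER = 60 * 86400  # drop an entry once it has been quiet for 60 days


class EscalatingBlocklist:
    """Tracks port-25 connects per source address; each repeat doubles the block."""

    def __init__(self, ranges=(), clock=time.time):
        self.clock = clock
        # Whole dynamic pools can be listed as CIDR ranges instead of single IPs,
        # since a single transient address is unlikely to be reused by the sender.
        self.ranges = [ipaddress.ip_network(r) for r in ranges]
        self.entries = {}  # ip -> {"hits": n, "until": expiry, "last": last seen}

    def record_hit(self, ip, now=None):
        """Register a connect on port 25 from ip; return the block duration applied."""
        now = self.clock() if now is None else now
        e = self.entries.get(ip, {"hits": 0, "until": 0.0, "last": 0.0})
        e["hits"] += 1
        duration = min(BASE_BLOCK * 2 ** (e["hits"] - 1), MAX_BLOCK)
        e["until"] = now + duration
        e["last"] = now
        self.entries[ip] = e
        return duration

    def is_blocked(self, ip, now=None):
        """True if ip falls in a listed range or its individual block is still live."""
        now = self.clock() if now is None else now
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.ranges):
            return True
        e = self.entries.get(ip)
        return e is not None and e["until"] > now

    def prune(self, now=None):
        """Forget addresses unseen for FORGET_AFTER seconds; return how many were dropped."""
        now = self.clock() if now is None else now
        stale = [ip for ip, e in self.entries.items() if now - e["last"] > FORGET_AFTER]
        for ip in stale:
            del self.entries[ip]
        return len(stale)
```

Calling prune() on a schedule is what keeps the list from accumulating millions of addresses that will never be seen again.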
